Article Summary
The Pyramid of Pain is a cybersecurity framework that ranks threat indicators by how costly they are for attackers to change. This article breaks down all six levels—from hash values to TTPs—and offers a phased implementation playbook. You'll gain a clear strategy for shifting from reactive blocking to high-impact, behavior-focused defense.

“Attackers only need to succeed once; defenders must succeed every time”. If that feels like an impossible burden, then it’s time to shift your defensive strategy. We are in a new era of security operations, and the key to winning is not just blocking attacks, but making those attacks excruciatingly costly for the adversary.
If you’re looking to move from reactive blocking to strategic disruption, you need to know everything about a framework named the Pyramid of Pain. In this guide we’ll explore the six levels of the pyramid, practical defensive actions for each, and a phased playbook to implement TTP-focused defense.
What is the Pyramid of Pain in Cyber Security?
Created by security researcher David J. Bianco in 2013, the Pyramid of Pain is a foundational conceptual model that ranks indicators of compromise (IOCs) based on how difficult and costly they are for attackers to change when detected.
The Pyramid of Pain framework categorizes threat indicators across six hierarchical levels, from the base (least pain/easiest to change) to the apex (highest pain/hardest to change). As defenders interfere with elements higher up the hierarchy, adversaries experience greater difficulty adapting their tactics, techniques, and procedures (TTPs).
The big idea here is simple: not all indicators are equally valuable. True defensive impact comes from focusing on the highest levels of the pyramid, imposing greater operational friction on adversaries and forcing them to fundamentally alter their operations or abandon their attacks entirely.
The pyramid structure reflects a fundamental truth: the easier something is for defenders to detect, the easier it is for attackers to change. Understanding this relationship is crucial for allocating your finite resources strategically.
The Pyramid of Pain Explained
Here is a breakdown of the six levels, ascending from low to highest attacker pain:
Level 1 — Hash Values (Low Pain)
Hash values are file fingerprints (MD5, SHA-1 or SHA-256 digests) computed over a file's bytes, commonly used to identify one specific malware sample.
- Attacker Effort: Very low. Changing a single byte, recompiling, or repacking the file produces a completely different hash, so a hash-based detection covers exactly one build of the tool and nothing else.
- Defensive Use: Block known malware. Integrate trusted threat intelligence feeds to auto-block known bad indicators. Recognize this as a tactical tool, not a strategic defense.
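To show the gap between Level 1 and Level 4 concretely, here is an added example (not code from the original article) that compares an exact-hash blocklist with a match on the embedded C2 artifacts of the same file. The sample bytes, the blocklist and the signatures are all constructed inside the script; nothing here is a real malware sample or a real threat-intel entry.

```python
"""Level 1 (hash) versus Level 4 (artifact) matching on a constructed sample.

Added example, not code from the original article. SAMPLE_V1 is an invented byte string that
stands in for a malicious binary; the hash blocklist and signatures are derived from it here.
"""
import hashlib

# Embedded C2 configuration strings: artifacts that come from how the tool talks to its server.
C2_USER_AGENT = b"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
C2_URI = b"/api/v1/telemetry/upload.php"

# Constructed stand-in for a binary: header stub, padding, the embedded config, some code bytes.
SAMPLE_V1 = b"MZ\x90\x00" + b"\x00" * 60 + C2_USER_AGENT + b"\x00" + C2_URI + b"\x00" + b"\xcc" * 32


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Level 1: an exact-match blocklist, as a threat-intel feed would deliver it.
HASH_BLOCKLIST = {sha256_hex(SAMPLE_V1)}

# Level 4: byte patterns tied to the tool's behaviour, not to one build of it.
ARTIFACT_SIGNATURES = {"c2-user-agent": C2_USER_AGENT, "c2-uri": C2_URI}


def hash_match(data: bytes) -> bool:
    return sha256_hex(data) in HASH_BLOCKLIST


def artifact_matches(data: bytes) -> list[str]:
    return [name for name, pattern in ARTIFACT_SIGNATURES.items() if pattern in data]


def repack(data: bytes) -> bytes:
    """The attacker's cheapest move: append one padding byte. Behaviour is unchanged."""
    return data + b"\x00"


def retool_user_agent(data: bytes, new_agent: bytes) -> bytes:
    """A costlier move: change the C2 user agent, which also requires a server-side change."""
    return data.replace(C2_USER_AGENT, new_agent)


def assess(data: bytes) -> dict:
    """Run both detection levels against one file and report what fired."""
    return {
        "sha256": sha256_hex(data)[:16],
        "hash_hit": hash_match(data),
        "artifact_hits": artifact_matches(data),
    }


if __name__ == "__main__":
    variants = [
        ("original build", SAMPLE_V1),
        ("repacked (one byte appended)", repack(SAMPLE_V1)),
        ("retooled user agent", retool_user_agent(SAMPLE_V1, b"Mozilla/5.0 (Windows NT 10.0)")),
    ]
    for label, variant in variants:
        print(f"{label:30} {assess(variant)}")
```

The repacked build evades the hash while both artifacts still match; only the costlier retool of the user agent removes one of them, and the URI still fires. One caveat: real packers compress or encrypt strings on disk, so artifact matching of this kind is most reliable against unpacked process memory or on the wire, where the user agent has to be sent in the clear to the C2 server.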
Level 2 — IP Addresses (Low Pain)
IP addresses represent the source or destination network location of traffic.
- Attacker Effort: Low. Adversaries can quickly change IPs using VPNs, proxies, or by switching compromised systems or spinning up new cloud infrastructure in minutes.
- Defensive Use: Short-term blocking and IP reputation checks. Use automation tools (like SIEM or SOAR) to auto-block known malicious IPs, freeing analysts for higher-value work. Blocking IP addresses can slow adversaries down, but it is relatively ineffective over time.
Level 3 — Domain Names (Moderate Pain)
Domain names are used for command and control (C2) or payload hosting.
- Attacker Effort: Moderate. Changing domains is more effort-intensive than changing IPs, as it requires registration, DNS propagation time, and reputation building. Dedicated attackers may register multiple domains or use dynamic DNS.
- Defensive Use: Domain reputation filtering, DNS monitoring, and takedowns where possible. Blocking malicious domains can disrupt communications temporarily. The goal here is to make adaptation harder and slower for adversaries.
Level 4 — Network/Host Artifacts (High Pain)
Artifacts are observable patterns, such as registry changes, specific file paths, dropped files, malicious processes, or unique traffic patterns (e.g., URI structures, user agent strings).
- Attacker Effort: High. These artifacts result from fundamental aspects of the attacker’s tools or techniques and are harder for them to change quickly. Retooling and behavior changes are required.
- Defensive Use: Detection engineering and host/network behavioral analytics. Detecting and blocking artifacts significantly impacts adversaries, forcing them to alter tools or operational tactics.
Level 5 — Tools (Very High Pain)
Tools refer to the specific software or utilities an adversary relies on, such as malware families, remote access trojans (RATs), or C2 and exploitation frameworks (like Cobalt Strike or Metasploit).
- Attacker Effort: Very high. Developing or acquiring new, effective tools is costly and time-consuming, requiring substantial expertise.
- Defensive Use: Disrupt tooling: signature tool families (for example with YARA rules), fingerprint their network protocols, share tooling indicators, and use honeypots to collect samples. Detecting specific tools imposes significant pain, forcing adversaries to reevaluate their operational methods.
Level 6 — Tactics, Techniques, and Procedures (TTPs) (Highest Pain)
TTPs represent the attacker’s overall playbook and workflow: the “how,” not just the “what”. This includes methodologies captured in frameworks like MITRE ATT&CK.
- Attacker Effort: Very high / operational overhaul. Altering TTPs is complex and costly because it forces adversaries to fundamentally change how they operate, requiring extensive planning and reorganization.
- Defensive Use: Threat hunting, MITRE ATT&CK mapping, and behavioral detections. This is your strategic focus.
Why Prioritize the Top of the Pyramid
Here’s the hard truth: almost all Indicators of Compromise (IOCs)—hashes, IPs, and domains—are transitory; they lose value over time. The exception is attacker behavior, or TTPs.
Many security tools and teams historically focused on Levels 1 and 2, but sophisticated attackers adapt too quickly. If an attacker’s malware hash is blocked, they can simply recompile it. If their C2 IP is blocked, they migrate their infrastructure.
However, if your team detects the technique they use—for instance, disrupting their method for lateral movement via WMI, or blocking their specific credential dumping behavior—the attacker must rethink their entire approach, which can take months and massive resources.
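The two techniques named above make a good test case. The following is an added example (not code from the original article or from any vendor) that runs three detection rules over constructed, Sysmon-style endpoint events: a Level 5 rule keyed on known tool names, and two Level 6 behaviour rules mapped to ATT&CK T1047 (Windows Management Instrumentation) and T1003.001 (OS Credential Dumping: LSASS Memory). The hosts, paths and events are invented; the LSASS allowlist is a starting assumption to tune for your own estate. The same example serves step 3 of the playbook below.

```python
"""Tool-level indicator (Level 5) versus TTP-level behaviour rules (Level 6) over endpoint telemetry.

Added example, not code from the original article. The events below are constructed to look like
Sysmon-style process-create / process-access records; hosts and paths are invented.
"""
import ntpath

# ATT&CK technique IDs the behaviour rules map to (real IDs; the rules themselves are this example's).
WMI_LATERAL_MOVEMENT = "T1047"      # Windows Management Instrumentation
LSASS_MEMORY = "T1003.001"          # OS Credential Dumping: LSASS Memory

# Level 5 indicator: file names of known dumping tools. Trivially evaded by renaming the binary.
KNOWN_TOOL_NAMES = {"procdump.exe", "procdump64.exe", "mimikatz.exe"}

# PROCESS_VM_READ: the Win32 access right any LSASS memory dumper needs.
PROCESS_VM_READ = 0x0010
# Legitimate LSASS readers; starting allowlist (assumption), tune it to your environment.
LSASS_ALLOWLIST = {"csrss.exe", "wininit.exe", "msmpeng.exe"}
# Children of the WMI provider host that indicate remote command execution via WMI.
WMI_SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "rundll32.exe"}


def _name(path: str) -> str:
    """Lower-cased file name of a Windows path, independent of the host OS running this script."""
    return ntpath.basename(path).lower()


def tool_name_rule(event):
    if event["type"] == "process_create" and _name(event["image"]) in KNOWN_TOOL_NAMES:
        return {"level": 5, "rule": "known-tool-name", "host": event["host"], "image": event["image"]}
    return None


def wmi_lateral_movement_rule(event):
    if (event["type"] == "process_create"
            and _name(event["parent_image"]) == "wmiprvse.exe"
            and _name(event["image"]) in WMI_SUSPICIOUS_CHILDREN):
        return {"level": 6, "rule": WMI_LATERAL_MOVEMENT, "host": event["host"], "image": event["image"]}
    return None


def lsass_access_rule(event):
    if (event["type"] == "process_access"
            and _name(event["target_image"]) == "lsass.exe"
            and _name(event["source_image"]) not in LSASS_ALLOWLIST
            and event["granted_access"] & PROCESS_VM_READ):
        return {"level": 6, "rule": LSASS_MEMORY, "host": event["host"], "image": event["source_image"]}
    return None


RULES = (tool_name_rule, wmi_lateral_movement_rule, lsass_access_rule)


def run_detections(events):
    findings = []
    for event in events:
        for rule in RULES:
            hit = rule(event)
            if hit:
                findings.append(hit)
    return findings


# Constructed telemetry. Paths use raw strings so the backslashes survive.
SAMPLE_EVENTS = [
    # Benign: a shell started from explorer.
    {"type": "process_create", "host": "host-17", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    # WMI lateral movement: the WMI provider host spawns a shell.
    {"type": "process_create", "host": "host-17", "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    # Unrenamed dumper: caught by the tool-name rule and by the LSASS rule.
    {"type": "process_create", "host": "host-17", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\Public\procdump.exe", "cmdline": "procdump.exe -ma lsass.exe out.dmp"},
    {"type": "process_access", "host": "host-17", "source_image": r"C:\Users\Public\procdump.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": 0x1FFFFF},
    # Same tool renamed by the attacker: tool-name rule misses, behaviour rule still fires.
    {"type": "process_create", "host": "host-22", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\Public\svc_helper.exe", "cmdline": "svc_helper.exe -ma lsass.exe out.dmp"},
    {"type": "process_access", "host": "host-22", "source_image": r"C:\Users\Public\svc_helper.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": 0x1FFFFF},
    # Legitimate LSASS reader on the allowlist: no finding.
    {"type": "process_access", "host": "host-22", "source_image": r"C:\Windows\System32\csrss.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": 0x1010},
]


if __name__ == "__main__":
    for finding in run_detections(SAMPLE_EVENTS):
        print(finding)
```

The renamed copy on host-22 slips past the tool-name rule but not the LSASS rule, because reading LSASS memory is the behaviour, and the attacker cannot rename their way out of it. The cost of the Level 6 rule is the allowlist: without it, antivirus and system processes that legitimately open LSASS would generate noise, so expect to tune it per environment.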
The benefits of focusing on the TTPs are the following:
- Persistence and Predictability: TTPs are persistent because threat actors rely on established methodologies; one TTP detection covers many future campaigns.
- Maximum Disruption: Targeting TTPs imposes the highest operational cost and forces a complete attack retooling.
- Measurable Impact: Vectra reports that security operations centers applying pyramid principles see a 60% reduction in successful attacks when prioritizing TTP-level detection, and a 30% increase in attacker operational costs [1]. Treat these as vendor-reported figures and measure against your own baseline.
Applying the Pyramid of Pain in Real Life: Your Strategic Playbook
Understanding the Pyramid of Pain is only half the battle; the real power comes from turning this theory into actionable strategy.
1. Automate the Easy Wins (Levels 1 & 2)
Your primary goal at the base of the pyramid is efficiency. Stop wasting analyst cycles chasing indicators that will be stale by tomorrow.
- Action: Handle the bottom of the pyramid—hashes and IPs—with automation. Integrate trusted threat intelligence feeds directly into your SIEM, firewall, or EDR.
- Strategy: Use playbooks and SOAR tools to auto-block known bad indicators. This quick win demonstrates program value and builds momentum.
- Goal: Free up your analysts to focus on higher-value work at Level 4 and above. Automation should handle 80–90% of hash- and IP-based detection [1].
2. Investigate Patterns, Not Just Events (Levels 3 & 4)
Move beyond single alerts and start looking for patterns in domains and artifacts. This is where Security Engineers shine by enhancing detection rules.
- Action: Group related domains or track recurring patterns in host behaviors (e.g., specific registry changes or file paths associated with persistence).
- Strategy: Develop detection rules for common network and host artifacts associated with prevalent threats. Use SOAR platforms to automate the correlation of these middle-level indicators, which can reduce manual analysis requirements by 80–90% [1].
- Goal: Make adaptation harder and slower for attackers, forcing them to alter specific tools and behaviors.
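As an added example of "patterns, not events" (not code from the original article), the script below looks for a Level 4 pattern in a proxy log: near-constant request timing from one host, grouped by user agent rather than by destination, so that rotating domains and IPs (Levels 2 and 3) cannot split the beacon into unrelated events. The log lines are constructed; domains use the reserved .example TLD and IPs the 203.0.113.0/24 documentation range.

```python
"""Finding a Level 4 pattern (beacon timing plus a fixed user agent) across rotating domains and IPs.

Added example, not code from the original article. The proxy log below is constructed; domains use
the reserved .example TLD and IPs the 203.0.113.0/24 documentation range.
"""
import shlex
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: timestamp, source host, destination domain, destination IP, user agent.
# host-17 beacons roughly once a minute to four rotating domains and eight IPs; host-22 browses normally.
SAMPLE_PROXY_LOG = """
2024-05-01T10:00:00Z host-17 cdn-a.update-check.example 203.0.113.10 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
2024-05-01T10:00:05Z host-22 www.news-site.example 203.0.113.50 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2024-05-01T10:00:09Z host-22 img.news-site.example 203.0.113.51 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2024-05-01T10:01:01Z host-17 cdn-b.update-check.example 203.0.113.11 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
2024-05-01T10:02:00Z host-17 cdn-c.update-check.example 203.0.113.12 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
2024-05-01T10:02:40Z host-22 mail.corp-webmail.example 203.0.113.60 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2024-05-01T10:02:41Z host-22 mail.corp-webmail.example 203.0.113.60 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2024-05-01T10:03:02Z host-17 cdn-d.update-check.example 203.0.113.13 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
2024-05-01T10:03:59Z host-17 cdn-a.update-check.example 203.0.113.20 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
2024-05-01T10:05:01Z host-17 cdn-b.update-check.example 203.0.113.21 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
2024-05-01T10:06:00Z host-17 cdn-c.update-check.example 203.0.113.22 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
2024-05-01T10:07:01Z host-17 cdn-d.update-check.example 203.0.113.23 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
2024-05-01T10:07:13Z host-22 www.news-site.example 203.0.113.50 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2024-05-01T10:09:30Z host-22 docs.vendor-portal.example 203.0.113.70 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
"""


def parse_proxy_log(text: str) -> list[dict]:
    events = []
    for line in text.strip().splitlines():
        ts, src, domain, ip, user_agent = shlex.split(line)   # shlex keeps the quoted user agent whole
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "src": src, "domain": domain, "ip": ip, "user_agent": user_agent,
        })
    return events


def find_beacons(events, min_events: int = 6, max_cv: float = 0.10):
    """Group by (source host, user agent) so rotating domains/IPs cannot split the pattern, then
    flag groups whose inter-request intervals are nearly constant (low coefficient of variation)."""
    groups = defaultdict(list)
    for event in events:
        groups[(event["src"], event["user_agent"])].append(event)

    findings = []
    for (src, user_agent), evs in groups.items():
        if len(evs) < min_events:
            continue
        evs.sort(key=lambda e: e["ts"])
        intervals = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(evs, evs[1:])]
        period = mean(intervals)
        cv = pstdev(intervals) / period if period > 0 else float("inf")
        if cv <= max_cv:
            findings.append({
                "src": src, "user_agent": user_agent,
                "period_s": round(period, 1), "cv": round(cv, 3),
                "domains": sorted({e["domain"] for e in evs}),
                "ips": sorted({e["ip"] for e in evs}),
            })
    return findings


if __name__ == "__main__":
    for finding in find_beacons(parse_proxy_log(SAMPLE_PROXY_LOG)):
        print(finding)
```

The beacon surfaces as one finding that lists all four domains and eight IPs the attacker rotated through, which is exactly the pivot an analyst wants instead of twelve unrelated alerts. Two practical notes: real implants add jitter, so tune `max_cv` and `min_events` against your own baseline; and legitimate periodic traffic (update checks, monitoring agents) will match too, so pair the rule with an allowlist of known-good user agents and destinations.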
3. Think in TTPs, Not Indicators (Levels 5 & 6)
The top of the pyramid is where adversaries feel real pain.
- Action: Map your detection strategy directly to the MITRE ATT&CK framework. Build behavioral rules that catch how attackers operate (TTPs), not just what specific tool (Level 5) they use.
- Strategy: Implement advanced behavioral analytics and machine learning models to identify anomalous behaviors. Leverage frameworks like MITRE’s Summiting the Pyramid (STP) methodology, which quantifies detection robustness based on resistance to evasion techniques.
- Goal: Force attackers to redesign their operations entirely, delivering maximum defensive value.
4. Test and Refine (Purple Team Validation)
For Purple Team Members, the Pyramid of Pain offers a structured way to plan realistic attack simulations and validate your security controls.
- Action: Even small exercises strengthen your defense posture. Use isolated lab environments, open test libraries such as Atomic Red Team, or guided platforms such as TryHackMe to simulate attacks against your controls.
- Validation Strategy: Systematically emulate attacker activities at each pyramid level to identify gaps.
- Hashes: Use the EICAR test file, or detonate known samples only on isolated lab endpoints, to verify that EDR flags the hash; never copy live malware across production endpoints.
- IPs/Domains: Simulate connections to indicators you have added to your blocklists for the test (sinkholed addresses or test domains you control, not a third party's live infrastructure) to verify firewall and DNS filtering.
- Artifacts: Replicate observable network traffic patterns (C2 protocols) or generate specific host-based observables (registry changes).
- TTPs: Conduct full, multi-stage attack scenarios mapped to MITRE ATT&CK (e.g., spear phishing followed by credential dumping) to assess if security controls capture the entire behavior pattern.
- Goal: Continuously validate that your security stack triggers detections at the right, most painful pyramid levels.
Roadmap: From Beginner to Expert
Adopting a pyramid-focused strategy requires a mindset shift: from asking “what did they use?” to “how do they think?”. This strategic implementation generally occurs in phases over 3–6 months.
| Phase | Duration | Focus Area | Goal |
|---|---|---|---|
| Quick Wins (Phase 1) | 1–2 months | Inventory tools by pyramid level; plug obvious detection gaps. Automate hash/IP blocking. | Establish foundational capability and free up analyst capacity. |
| Medium Term (Phase 2) | 2–4 months | Enhance detection of middle-level indicators (domains/artifacts). Build hunting capability and orchestration for Levels 1–4. | Make adaptation harder for adversaries; reduce manual analysis by 80–90% [1]. |
| Long Term (Phase 3) | 4–6 months+ | Invest heavily in detection engineering, threat intel sharing, and TTP-focused behavioral analytics. Integrate with MITRE ATT&CK. | Achieve the highest defensive value and force attackers to fundamentally redesign their playbooks. |
Success Metrics for this strategic shift include: Mean time to detect (MTTD), Attacker dwell time (reducing from weeks to days), and the number of disrupted attack chains.
Embrace The Pyramid of Pain Framework
The Pyramid of Pain framework has evolved from a conceptual idea into an operational cornerstone. Its elegance lies in its simplicity: the harder an indicator is for attackers to change, the more valuable it is for you, the defender, to detect.
By embracing this model, you transform your Security Operations Center (SOC) from a reactive, indicator-chasing machine into a proactive, strategic hunting force. By shifting resources toward behavioral detection and TTP identification (Levels 4, 5, and 6), you don’t just block tomorrow’s attack; you increase the long-term operational cost of cybercrime itself.
The journey up the pyramid requires investment and patience, but the return is clear: measurable improvements in security outcomes, including a 60% reduction in successful attacks for TTP-focused programs [1].
The path forward is clear: automate the base, correlate the middle, and hunt the apex. Every step you take up the pyramid increases defensive value and adversary frustration, ensuring you tilt the cybersecurity balance back toward the defender.
SOURCES
[1] Vectra. "Pyramid of Pain: Prioritize Detection by Maximizing Attacker Cost." https://www.vectra.ai/topics/pyramid-of-pain